> when executed as "bind_nuke bogus.org" on a host, that bogus.org's
> primary NS is configured to accept updates from, will cause named
> to silently die. Nothing in the logs, nothing on the console.

... and of course, we all realize that there is no such thing as a BIND
denial-of-service-only attack. Anything that can cause an arbitrary
nameserver to die, or even not answer queries for a significant amount of
time, allows for trivial brute-force ID-guessing attacks.

Until DNSSEC is fully deployed on the net, or the BIND maintainers
integrate real ID-guessing countermeasures, the stability of the BIND
named service is security-critical.

Just some food for thought.

----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbfenteract.com]
----------------
"If you're so special, why aren't you dead?"